SOC - What is SOC? Understanding Risk Maturity Standards

Metropolis | Fritz Lang (1927), Google Images

Introduction

The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of those things in the world affecting information risk for April 14th through April 21th, 2023.

What is SOC? "System and Organization Controls" (SOC) is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. SOC reports are internal control reports created by the American Institute of Certified Public Accountants (AICPA) that examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.

Why is SOC important for business?

SOC reports are important for businesses because they provide independent validation that a service organization’s internal controls are appropriately designed and operating effectively. SOC reports can help businesses to build trust with their customers by demonstrating that they have effective internal controls in place to protect customer data. SOC reports can also help businesses to identify areas for improvement in their internal controls.

How does SOC compliance demonstrate risk maturity?

SOC compliance demonstrates risk maturity by providing independent validation that a service organization’s internal controls are appropriately designed and operating effectively. SOC reports can help businesses to identify areas for improvement in their internal controls. By demonstrating that they have effective internal controls in place to protect customer data, businesses can build trust with their customers.

Is SOC aligned with recognized standards like the NIST CSF?

Yes, SOC reports are aligned with recognized standards like the NIST Cybersecurity Framework (CSF). The NIST CSF provides a framework for organizations to manage and reduce cybersecurity risk. SOC reports can help organizations to demonstrate compliance with the NIST CSF by providing independent validation that their internal controls are appropriately designed and operating effectively.

The NIST CSF provides a framework for organizations to manage and reduce cybersecurity risk. The framework consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities and outcomes that are common across critical infrastructure sectors. The Framework Implementation Tiers provide a mechanism for organizations to view and understand their cybersecurity risk management practices and the degree of sophistication of those practices. The Framework Profiles enable organizations to align their cybersecurity activities with business requirements, risk tolerances, and resources.

SOC reports can help organizations to demonstrate compliance with the NIST CSF by providing independent validation that their internal controls are appropriately designed and operating effectively.

What are some common risk management frameworks?

There are several common risk management frameworks that organizations use to manage and reduce cybersecurity risk. Some examples include:

• NIST Risk Management Framework
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework
• ISO 31000 (series)
• Control Objectives for Information and Related Technology (COBIT)
• Threat Agent Risk Assessment (TARA)
• Factor Analysis of Information Risk (FAIR)

These frameworks provide a structured approach to identifying, assessing, and managing risk across an organization.

What are some benefits of SOC compliance?

There are several benefits of SOC compliance, including:

• More efficient operations
• Increased customer satisfaction
• Protection against lawsuits and the costs associated with them
• Long-term cost savings and loss prevention
• Increased trust with your customers
• Decreased risk of loss of sensitive data

SOC compliance can help organizations to demonstrate that they have effective internal controls in place to manage and reduce cybersecurity risk.

What is the SOC Standard?

The SOC (System and Organization Controls) standard is a set of criteria developed by the American Institute of Certified Public Accountants (AICPA) to help organizations demonstrate that they have effective internal controls in place to manage and reduce cybersecurity risk. SOC reports are used by organizations to provide assurance to their customers that they have effective controls in place to manage and reduce cybersecurity risk.

What are the parts of the SOC standard?

SOC reports are attestations of controls and processes at a service organization that may affect their user entities’ financial reporting. There are three types of SOC reports: SOC 1, SOC 2 and SOC 3.

1. SOC 1 reports are used by service organizations that provide services that could impact their clients’ financial reporting. There are two types of SOC 1 reports:
   • Type 1 reports describe the controls and their suitability at a specific point in time
   • Type 2 reports test the controls and their effectiveness over a minimum six-month period. Type 2 reports provide more evidence and detail about how the controls have been operated.
2. SOC 2 reports are used by organizations that provide services that could impact their clients’ security, availability, processing integrity, confidentiality, or privacy. The SOC 2 report includes a description of the service organization’s system and the suitability of the design and operating effectiveness of controls. The SOC 2 report is divided into five sections called Trust Services Criteria (TSC) which are security, availability, processing integrity, confidentiality and privacy. There are two types of SOC 2 reports:
   • Type 1 reports describe the controls and their suitability at a specific point in time
   • Type 2 reports test the controls and their effectiveness over a minimum six-month period. Type 2 reports provide more evidence and detail about how the controls have been operated.
3. SOC 3 reports are general use reports that can be freely distributed to anyone who needs assurance about the controls at a service organization. The SOC 3 report includes a description of the service organization’s system and the suitability of the design and operating effectiveness of controls. The SOC 3 report is also divided into five sections called Trust Services Criteria (TSC) which are
   • Security
   • Availability
   • Processing integrity
   • Confidentiality
   • Privacy
4. There are two types of SOC 3 reports:
   • Type 1 reports describe the controls and their suitability at a specific point in time
   • Type 2 reports test the controls and their effectiveness over a minimum six-month period. Type 2 reports provide more evidence and detail about how the controls have been operated.

SOC 1, SOC 2 and SOC 3 audits are designed to achieve different purposes. SOC 1 compliance is focused on financial reporting, while SOC 2 and SOC 3 have a wider view and are better suited to technology service organizations. The main difference between SOC 2 and SOC 3 is their intended audiences. When choosing which SOC to pursue, consider your company’s business model and the target audience.

SOC 1 reports are used by organizations that provide services that could impact their clients' financial reporting. SOC 2 reports are used by organizations that provide services that could impact their clients' security, availability, processing integrity, confidentiality, or privacy. The SOC 2 report includes a description of the service organization's system and the suitability of the design and operating effectiveness of controls. The SOC 2 report is divided into five sections called Trust Services Criteria (TSC) which are security, availability, processing integrity, confidentiality and privacy.

SOC 3 reports are less common than SOC 1 and SOC 2 reports. SOC 3 is a variation on SOC 2 and contains the same information as SOC 2 but it’s presented for a general audience rather than an informed one.

______________________________________________________________________________________________________________

How does a company get SOC certified?

A SOC audit is not a certification.

To obtain a SOC report, a company must engage a CPA firm to perform an audit of their controls and processes. The audit is conducted in accordance with the AICPA’s auditing standards and guidelines for SOC reports. The auditor will then issue an opinion on the effectiveness of the controls and processes that were tested.

The company must first determine which type of SOC report they need based on their business needs and the needs of their clients. Once they have determined which report they need, they will work with their auditor to identify the controls that need to be tested.

The auditor will then perform testing on those controls to determine if they are operating effectively. If there are any deficiencies found during the testing, the company will need to remediate those deficiencies before they can receive a clean opinion on their SOC report.

How does a company choose the right auditor and the right SOC report?

Choosing a SOC auditor can be a critical decision for a company. Here are some factors to consider when selecting a SOC auditor:

1. Affiliated with the AICPA or a certified CPA firm.
2. Experience and reputation in the auditing industry.
3. Qualifications of the auditor.
4. Style of communication.
5. Knowledge of tech stack.
6. SOC 2 audit cost.
7. Approach for SOC 2 auditing.

It’s important to find an auditor that has clear experience conducting SOC audits and should be able to point to examples of reports they’ve generated in the past. Ideally, they should have experience working with your specific type of service organization. Find a team that’s performed SOC audits for companies in your industry and of a similar size. Ask for peer reviews to learn more about other companies’ experiences.

______________________________________________________________________________________________________________

The right SOC report depends on the needs of the company and their clients. SOC 1 reports are used by service organizations that provide services that could impact their clients’ financial reporting. SOC 2 reports are used by organizations that provide services that could impact their clients’ security, availability, processing integrity, confidentiality, or privacy. SOC 3 reports are general use reports that can be freely distributed to anyone who needs assurance about the controls at a service organization.

The company should determine which report they need based on their business needs and the needs of their clients. They should also consider which report will provide the most value to their clients.

At Airius, we depend on our friends at A-Lign to provide auditors and experience with the SOC reporting and auditing process. We work closely with companies to get them through it.

In The News

• World
  • U.S. House Speaker Kevin McCarthy has begun working in earnest to persuade his fellow Republicans to support a $1.5 trillion increase in the nation’s debt ceiling.
  • Leaked top secret intelligence assessments show Washington warned Kyiv that defending besieged Bakhmut was costing too many casualties and would inevitably fail.
  • Fighting in Sudan between forces loyal to two top generals has put Africa’s third-largest country at risk of collapse and could have consequences far beyond its borders.
• SpaceX and Elon Musk
  • SpaceX’s giant new rocket exploded minutes after blasting off on its first test flight Thursday and crashed into the Gulf of Mexico.
  • Elon Musk's wealth drops by nearly $13 billion — the biggest slide this year — after Tesla's share prices slumped and SpaceX's Starship rocket exploded.
  • SpaceX’s gigantic Starship rocket blasts off and then explodes in its first test flight.

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com. 

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information. Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC, please reach out to us.

Coming Soon

• AI engines
• HIPAA Compliance
• Political choices and reputational risk
• GDPR

Copyright and Attribution Statement

• Ernest M. Park, Airius, LLC, 2023

License

• http://creativecommons.org/licenses/by/3.0/

References and Credits

• https://en.wikipedia.org/wiki/System_and_Organization_Controls
• https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-1
• https://learn.microsoft.com/en-us/compliance/regulatory/offering-soc-2
• https://learn.microsoft.com/en-us/compliance/regulatory/offering-soc-3
• https://clearwatercompliance.com/blog/understanding-risk-assessment-frameworks-and-how-they-help-reduce-vendor-risks/
• https://www.pluralsight.com/guides/selecting-a-risk-management-framework-for-your-organization
• https://www.investopedia.com/articles/professionals/021915/risk-management-framework-rmf-overview.asp
• https://www.smartsheet.com/content/enterprise-risk-management-framework-model
• https://www.johansonllp.com/blog/benefits-of-soc-2-compliance
• https://www.vumetric.com/blog/4-benefits-soc-compliance/
• https://secureframe.com/blog/soc-2-compliance-guide
• https://resources.infosecinstitute.com/topic/overview-understanding-soc-compliance-soc-1-vs-soc-2-vs-soc-3/
• https://socreports.com/audit-overview/soc-1-vs-soc-2
• https://socreports.com/white-papers/soc-1/why-a-new-standard
• https://bing.com/search?q=parts+of+the+SOC+standard
• https://www.bls.gov/soc/soc_2010_class_and_coding_structure.pdf
• https://www.crowdstrike.com/cybersecurity-101/security-operations-center-soc/
• https://bing.com/search?q=what+are+the+parts+of+the+SOC+standard
• https://resources.infosecinstitute.com/topic/overview-understanding-soc-compliance-soc-1-vs-soc-2-vs-soc-3/
• https://workos.com/blog/soc-1-soc-2-soc-3
• https://sprinto.com/blog/soc-1-soc-2-soc-3/
• https://secureframe.com/hub/soc-2/soc-1-vs-soc-2-vs-soc-3
• https://www.scrut.io/post/pick-the-right-soc-2-auditor
• https://secureframe.com/blog/soc-audit
• https://secureframe.com/hub/soc-2/audit-process
• https://www.lepide.com/blog/soc-audit-checklist/
• https://www.micpa.org/stay-informed/news/2021/01/11/how-to-choose-the-right-soc-2-auditor
• https://www.dashsdk.com/resource/selecting-a-soc-2-auditor/
• https://www.sfgate.com/news/article/spacex-takes-second-shot-at-launching-biggest-17907678.php
• https://www.msn.com/en-us/money/markets/elon-musk-s-wealth-drops-by-nearly-13-billion-the-biggest-slide-this-year-after-tesla-s-share-prices-slumped-and-spacex-s-starship-rocket-exploded/ar-AA1a7Ozz
• https://www.nbcnews.com/science/space/spacexs-starship-rocket-blasts-first-test-flight-rcna79988
• https://news.sky.com/story/starship-launch-latest-elon-musks-spacex-gets-ready-for-first-test-launch-of-worlds-biggest-and-most-powerful-rocket-12859338
• https://www.space.com/news
• https://www.nytimes.com/2023/04/20/science/spacex-launch-explosion-elon-musk.html